This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

SIGRed - 17 Year old DNS Vulnerability

JeremyKerwin
Valued Contributor
Valued Contributor

‎2020-07-14 07:14 PM

I'm sure many have heard about the recent DNS vulnerability titled SIGRed. This one looks pretty bad.

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-se… 

 

I'm curious about how to best leverage NetWitness Logs Packets and Endpoint to best be prepared to detect and response to this sort of attack.

 

One of the detection suggestions is to detect large malformed DNS requests, is this easy to do with NW?

Labels:
3 REPLIES 3

DavidGassman2
Occasional Contributor
Occasional Contributor

‎2020-07-16 10:19 AM

Suggest looking at implementing logic as follows:


1) identifying DNS responses larger than 64 K bytes

- you could create an AppRule similar to this:  service=53 && payload.res=64000-u

 

2) identifying DNS query type is SIG record

- this is currently parsed out as dns.querytype = 'sig record'  {assuming you have the DNS_verbose_lua parser enabled}

 

You could combine all of this into a single AppRule

JeremyKerwin
Valued Contributor
Valued Contributor
In response to DavidGassman2

‎2020-07-17 01:28 AM

Thanks David, 

I have a play around with what you suggested. Thanks.

0 Likes

drewjc
Occasional Contributor
Occasional Contributor
In response to DavidGassman2

‎2020-07-31 03:55 PM

From a querying standpoint are you using the session size buckets populated in the session analysis metakey? Or are you indexing payload response sizes?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.